How to prevent mixed content and insecure warnings from web browsers ?

Question:

When listeners tune in to my stream, a warning shows up in the browser's address bar with the message "mixed content" or "not secure". How can I stop these warning messages from showing up?

Answer:

Modern web browsers will show such alerts when the content (or a portion of it) being displayed has not been encrypted using SSL/TLS (hereafter referred to collectively as TLS). To prevent these alerts from showing up, all elements in your website must be encrypted, including the audio data coming from Shoutcast or Icecast.

As of version 3.2.14, Centova Cast offers full support for encrypting the audio stream of your station(s) using TLS.

The recommended method for serving encrypted audio streams is to set up Centova Cast's stream proxy as described in this article

After the stream proxy has been successfully set up, you will need to enable proxy support for an account under settings > limits, after which tune-in links for the proxy will be displayed both on the stream's Quick Links page as well as on the stream's start page.

Shoutcast/Icecast Native TLS support

Both Shoutcast (v2.6+) and Icecast (v2.4+) have implemented native support for SSL (also supported by Centova Cast as of v3.2.14), which allows for per-station individual SSL configuration by end-users. End-users looking to use their own domain names for TLS-enabled raw tune-in links can use this feature.

How do I enable native TLS support access for users ?

  1. Login as administrator, then go the station's settings, and enable "Allow native TLS:" under the TLS/SSL tab.
  2. Set the user's domain name under settings > stream > hostname

What are the requirements for setting up native TLS support ?

  1. A domain or sub-domain pointed at the station's IP address.
  2. An SSL certificate issued to the domain or sub-domain by a trusted certificate authority.

How do users set up native TLS support ?

(Notice for Shoutcast 2 users)

Shoutcast v2.6.0 requires a premium license key that is no longer obtainable, as shoutcast.com has abandoned that business model. Clients seeking native TLS support with Shoutcast 2 will need to upgrade to v2.6.1 (which enables premium features without the need of a license key) by running:

/usr/local/centovacast/sbin/update --shoutcast2 --force

... from the command line.

Once Shoutcast v2.6.1 is installed, or if you are using Icecast2 instead, TLS support can be enabled as follows:

  1. In the station's settings, set the "Enable native TLS:" option to Yes.
  2. Enter the TLS certificate followed the CA-Bundle in the "Certificate chain:" box.
  3. Enter the certificate's private key in the "Certificate private key:" box.
  4. Click the "Test TLS" configuration button to make sure the certificate is valid and matches the domain name.
  5. Click the update button to save the settings, then restart the station.

How do listeners tune in via native TLS ?

Once native TLS has been successfully set up, new TLS tune-in links will be displayed under the Quick Links section of the station's dashboard.